CN114301640B - Attack and defense exercise method and system based on SRv6 network protocol - Google Patents

Attack and defense exercise method and system based on SRv6 network protocol

Info

Publication number: CN114301640B
Application number: CN202111533299.3A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114301640A
Inventor: 王玉梁
Current assignee: China Telecom Digital Intelligence Technology Co Ltd
Original assignee: China Telecom Digital Intelligence Technology Co Ltd

Abstract

A method and a system for attack and defense exercise based on the SRv6 network protocol. S1: first attack and defense exercise; S1.1: the simulated attack network device sends an attack instruction to the attacked network device; S1.2: the attacked network device receives the attack instruction and performs a self-simulated attack and defense exercise according to the attack and defense programs it contains; S1.3: the attacked network device sends the result data of its self attack and defense exercise to the analysis device. S2: second attack and defense exercise; S2.1: the analysis device attacks the attacked network device, and the attacked device defends through its own defense program; S2.2: the attacked network device transmits the result data of the attack and defense exercise conducted by the analysis device to the analysis device. S3: the analysis device performs analysis according to the result of the first attack and defense exercise and the result data of the second attack and defense exercise in the round. By means of this scheme, attack and defense exercises are simulated intelligently, and the defense capability of SRv6 network devices and transmission is improved.

Description

Attack and defense exercise method and system based on SRv6 network protocol
Technical Field
The application relates to the technical field of network attack defense, in particular to a method and a system for attack and defense exercise based on the SRv6 network protocol.
Background
With the rapid development of computer technology, information networks have become an important guarantee of social development. Against the broad background of the cloud-network convergence era, flexible and agile network service capability directly influences the competitiveness of operators. SR (Segment Routing) is a source routing technology, and SRv6 is the application of SR technology in IPv6 networks. SRv6 is a major innovation: combined with SDN technology it enables a programmable network, providing fertile ground for basic network services and value-added network services in the cloud-network era. At large network scale, security testing of the SRv6 network by periodic vulnerability inspection and scanning can hardly meet the timeliness requirement, so a more intelligent attack and defense exercise simulation method is introduced to improve the defense capability of SRv6 network devices and transmission.
Disclosure of Invention
Aiming at the defects in the prior art, the application provides a method and a system for attack and defense exercise based on the SRv6 network protocol. Aiming at the problems of large network service scale, complex application relationships, multiple dependency layers and difficult troubleshooting in the machine room operation and maintenance scenario, and at the problem that security testing of the SRv6 network by periodic vulnerability inspection can hardly meet the timeliness requirement, a more intelligent attack and defense simulation exercise method is introduced to improve the defense capability of SRv6 network devices and transmission.
In order to achieve the above purpose, the present application adopts the following technical scheme:
A method for attack and defense exercise based on a Markov chain combined with SRv6, comprising the following steps:
s1: first attack and defense exercise;
s1.1: the simulated attack network device sends an attack instruction to the attacked network device;
s1.2: after the attacked network device receives the attack instruction, a self-attack and self-defense simulated attack and defense exercise is carried out according to the attack program and the defense program contained in the attacked network device;
s1.3: the attacked network equipment sends the self-attack and defense exercise result data to the analysis equipment;
s2: attack and defense exercise for the second time;
s2.1: the analysis device attacks the attacked network device; the attacked device defends through a defending program of the attacked device;
s2.2: the attacked network equipment transmits exercise result data of attack and defense by the analysis equipment to the analysis equipment;
s3: the analysis device analyzes according to the result of the first attack and defense exercise and the result data of the second attack and defense exercise in the round.
In order to optimize the technical scheme, the specific measures adopted further comprise:
Further, the simulated attack network device and the attacked network device communicate through the SRv6 production environment main network; the analysis device is deployed in a non-SRv6 production environment.
Further, the specific content of step S1.1 is:
the simulated attack network device takes the attack information instruction identifier Local Start as the original message, encapsulates the message in SRH format and then sends it to a network port of the attacked network device.
Further, the specific content of the attack of the analysis device to the attacked network device in step S2.1 is:
the analysis device combines its attack program, the traffic distributed by the splitter and the SRv6 protocol into an original message, encapsulates the message in SRH format and then sends it to the network port of the attacked network device.
Further, the specific content of step S3 is:
s3.1: the analysis device obtains, from the historical database, the attack success probability a and the defense success probability b in the first and second attack and defense exercise results of the round, where a+b=1;
s3.2: the analysis device derives from the historical database that, given attack success, the probability that the next round keeps attack success is c and the probability that the next round transitions to defense success is d; and that, given defense success, the probability that the next round transitions to attack success is e and the probability that the next round keeps defense success is f; where c+d=1 and e+f=1;
s3.3: the analysis device calculates the probability g of successful attack and the probability h of successful defense in the next round of attack and defense exercise results; where g=a×c+b×e, h=a×d+b×f, and g+h=1.
Further, a system for attack and defense exercise based on a Markov chain combined with SRv6 comprises:
The simulated attack network device is used for simulating the attack network device to send an attack instruction to the attacked network device;
the attacked network device, which, after receiving the attack instruction, carries out a self-attack and self-defense simulated attack and defense exercise according to the attack program and the defense program it contains, and transmits the result data of the self attack and defense exercise to the analysis device;
the analysis device, which attacks the attacked network device; the attacked device defends through its own defense program; the attacked network device transmits the result data of the attack and defense exercise conducted by the analysis device to the analysis device; and the analysis device performs analysis according to the attack and defense exercise result data.
Further, the simulated attack network device and the attacked network device communicate through the SRv6 production environment main network; the analysis device is deployed in a non-SRv6 production environment.
Further, the specific content of the simulated attack network device sending the attack instruction to the attacked network device is as follows:
the simulated attack network device takes the attack information instruction identifier Local Start as the original message, encapsulates the message in SRH format and then transmits it to a network port of the attacked network device.
Further, the specific content of the attack of the analysis device to the attacked network device is as follows:
the analysis device combines its attack program, the traffic distributed by the splitter and the SRv6 protocol into an original message, encapsulates the message in SRH format and then sends it to the network port of the attacked network device.
Further, the specific content of the analysis device for analysis according to the attack and defense exercise result data is as follows:
the analysis device obtains, from the historical database, the attack success probability a and the defense success probability b in the first and second attack and defense exercise results of the round, where a+b=1;
the analysis device derives from the historical database that, given attack success, the probability that the next round keeps attack success is c and the probability that the next round transitions to defense success is d; and that, given defense success, the probability that the next round transitions to attack success is e and the probability that the next round keeps defense success is f; where c+d=1 and e+f=1;
the analysis device calculates the probability g of successful attack and the probability h of successful defense in the next round of attack and defense exercise results; where g=a×c+b×e, h=a×d+b×f, and g+h=1.
The beneficial effects of the application are as follows:
1. In each round of attack testing, the application performs two simulated attack tests. In the first, the simulated attack network device sends an attack instruction, and after the attacked network device receives the instruction it carries out a self attack and defense exercise with its own attack program and defense program. Because the simulated attack network device and the attacked network device are both on the SRv6 production environment main network, the first attack test does not use the attack program directly; instead the simulated attack network device sends only one instruction, which saves bandwidth of the production environment main network to the greatest extent.
2. In each round of attack testing, the application performs two simulated attack tests. In the second, the analysis device attacks the attacked network device through an attack program, and the attacked network device defends itself through its own defense program. In the second attack test the analysis device is deployed in a non-production environment and the simulated attack and defense exercise uses a non-main network specially opened in SRv6, so that heavy occupation of the production environment main network's bandwidth by the simulated attack and defense is avoided to the greatest extent.
3. In each round of attack testing, the application performs two simulated attack tests: the first simulated attack is initiated internally and performs an internal defense exercise; the second simulated attack is a defense exercise against an attack from outside to inside. Security problems from different angles can be found through the two attack modes, so the effectiveness of the security protection is enhanced.
4. The attack success probability and the defense success probability of the next round of simulated attack testing are calculated from the data, so that the predicted situation provides a better reference for subsequent vulnerability detection and remediation of the system.
Drawings
Fig. 1 is a schematic diagram of calculating attack success probability and defense success probability of the next round in an embodiment of the present application.
Detailed Description
The application will now be described in further detail with reference to the accompanying drawings.
The attack and defense exercise apparatus consists of three parts. The simulated attack network device is responsible for sending the attack signal instruction; the analysis device is responsible for collecting the attack and defense exercise analysis results and for launching the second attack; and the network egress points of the attacked devices all have SRv6 deployed. The attack and defense program consists of an attack program and a defense program. The simulated attack network device and the attacked network device communicate through the SRv6 production environment main network, the analysis device is deployed on a non-production-environment main network, and the analysis device, which performs the second simulated attack test, is connected to the attacked network device. One round of testing proceeds as follows.
Step one, first simulated attack and defense exercise: the simulated attack network device sends an attack signal instruction to the attacked network egress device in the SRv6 network; after receiving the attack signal instruction, the attacked network device executes the attack program deployed on it and defends through its own defense program.
In the first attack and defense simulation exercise, the attack program on the simulated attack network device, combined with the SRv6 protocol, takes the attack signal instruction Local Start as the original message, encapsulates it in an SRH-format message and sends it to the attacked network port, so that the local self exercise simulates attack and defense; finally, the analysis result of the attack and defense exercise messages is reported to the analysis device. This saves bandwidth of the production environment main network to the greatest extent.
Step two, second simulated attack and defense exercise: the attack program deployed on the analysis device, combined with the SRv6 protocol, takes the attack traffic distributed by the splitter as the original message, encapsulates it in SRH-format messages and sends it to the egress points of the attacked network devices. Finally, the analysis result of the attack and defense exercise messages is reported to the analysis device. This simulated attack performs the attack and defense exercise over a non-main network specially opened in SRv6, so that heavy occupation of the production environment main network's bandwidth by the simulated attack and defense is avoided to the greatest extent.
Step three: the analysis device analyzes the IPv6 message information sent from the network egress of the attacked device in both exercises to obtain two attack and defense analysis results. The analysis results of the first and second attacks are compared to judge the security of the attacked network's egress comprehensively, so that the egress defense capability can be strengthened in a targeted way.
Step four, refer to fig. 1. The analysis equipment analyzes according to the result of the first attack and defense exercise and the result data of the second attack and defense exercise in the round (two simulated attack tests in one round), and specifically comprises the following steps:
the analysis device obtains, from the historical database, the attack success probability a and the defense success probability b in the first and second attack and defense exercise results of the round, where a+b=1;
the analysis device derives from the historical database that, given attack success, the probability that the next round keeps attack success is c and the probability that the next round transitions to defense success is d; and that, given defense success, the probability that the next round transitions to attack success is e and the probability that the next round keeps defense success is f; where c+d=1 and e+f=1;
the analysis device calculates the probability g of successful attack and the probability h of successful defense in the next round of attack and defense exercise results; where g=a×c+b×e, h=a×d+b×f, and g+h=1.
The probability a of successful attack in the round is calculated as follows: the database obtains the number of successful attacks in the round and divides it by the total number of simulations in the round to obtain a.
The probability b of successful defense in the round is calculated as follows: the database obtains the number of successful defenses in the round and divides it by the total number of simulations in the round to obtain b.
The transition probability d (the probability that, given attack success in this round, the next round transitions to defense success) is calculated as follows: the historical total attack success rate x (total attack successes / total simulations over the current and all previous rounds) is obtained from the historical database; the attack success probability a of the round (attack successes in the round / total simulations in the round) is obtained from the historical database; then d=s+(x-a), where s is a threshold value; since c+d=1, c is obtained.
For example, with historical total attack success rate x=30%=0.3 and attack success rate a=28%=0.28 in the present round, 2%=0.02 of the transition has shifted towards defense success; adding this 2% to the 20% threshold s gives the next-round transition probability d=22%=0.22, and therefore c=1-22%=0.78. The threshold s is preset, and a specific threshold is selected for the transition difference (2% in this example) in different regions so as to ensure that the transition probability is greater than 0 and smaller than 1.
The transition probability e (the probability that, given defense success in this round, the next round transitions to attack success) is calculated as follows: the historical total defense success rate x' (total defense successes / total simulations over the current and all previous rounds) is obtained from the historical database; the defense success probability b of the round (defense successes in the round / total simulations in the round) is obtained from the historical database; then e=s'+(x'-b), where s' is a threshold value; since e+f=1, f is obtained.
For example, with historical total defense success rate x'=70%=0.7 and defense success rate b=72%=0.72 in the present round, 2%=0.02 of the transition has shifted towards attack success; adding this 2% to the 30% threshold s' gives the next-round transition probability e=32%=0.32, and f=1-32%=0.68. The threshold s' is preset, and a specific threshold is selected for the transition difference (2% in this example) in different regions so as to ensure that the transition probability is greater than 0 and smaller than 1.
In summary, in the next round the probability of attack success is g=0.28×0.78+0.72×0.32=0.4488, and the probability of defense success is h=0.28×0.22+0.72×0.68=0.5512. By calculating the device's attack success probability and defense success probability for the next round, the risk that the device may be intruded is known, and the device can be improved in a traceable way in time.
The application adopts the idea of the Markov chain algorithm. The Markov transition matrix model formula is X(k+1)=X(k)×P, where X(k) is the state vector of the trend analysis and prediction object at time t=k, P is the one-step transition probability matrix, and X(k+1) is the state vector of the object at time t=k+1.
Through the above, the main network bandwidth of the production environment is greatly saved in the simulated attack scenario of the SRv6 network environment. In addition, a second traffic-based simulated attack is carried out on the network egress points of all attacked devices through the SRv6 non-production-environment main network. From the attack and defense exercise results between branch SRv6 networks and between the headquarters and branch SRv6 networks, it is determined whether the defense rules or policies are effective. The security of the attacked network's egress is judged comprehensively, so that the egress defense capability can be strengthened in a targeted way.
In the first attack and defense exercise, the splitter copies the result data of the attacked network device's self attack and defense exercise and forwards it to the analysis device for analysis.
In the second attack and defense exercise, the analysis device sends its attack program, combined with the attack traffic sent by the splitter and the SRv6 protocol as the original message, to the attacked network device; after the result is obtained, a copy is duplicated by the splitter and sent to the analysis device for analysis.
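Step S3 and the Markov formulation above, as an added example (not the patent's own code): a, b come from the round's counts, the transition matrix P is built from the thresholds s and s', and X(k+1)=X(k)×P gives g and h. The numbers are the page's worked example; note that the page's prose writes the e term as s'+(x'-b), which does not reproduce its own 0.32, so the code follows the worked example (s' plus the 2% shift) and labels this as an assumption.

```python
# Added example (not the patent's own code): the analysis device's step S3
# as a two-state Markov chain, using the page's symbols a, b, c, d, e, f, g, h,
# x, x', s, s'. Sample numbers below are the page's worked example.
from typing import List, Sequence, Tuple


def round_rates(attack_success: int, defense_success: int) -> Tuple[float, float]:
    """a and b for one round: successes divided by the round's total simulations (a + b = 1)."""
    total = attack_success + defense_success
    if total == 0:
        raise ValueError("no simulations recorded for this round")
    return attack_success / total, defense_success / total


def transition_probs(a: float, b: float, x: float, x_prime: float,
                     s: float, s_prime: float) -> Tuple[float, float, float, float]:
    """Return (c, d, e, f) for the next round.

    d = s + (x - a): attack success shifting to defense success.
    e = s' + (b - x'): defense success shifting to attack success.
    Assumption: the e term follows the page's worked example (0.30 + 0.02 = 0.32);
    the page's prose writes it as s' + (x' - b), which would not reproduce that value.
    The thresholds s and s' must be chosen so that both results stay inside (0, 1).
    """
    d = s + (x - a)
    e = s_prime + (b - x_prime)
    for name, p in (("d", d), ("e", e)):
        if not 0.0 < p < 1.0:
            raise ValueError(f"transition probability {name}={p:.4f} is outside (0, 1); adjust the threshold")
    return 1.0 - d, d, e, 1.0 - e


def markov_step(state: Sequence[float], P: Sequence[Sequence[float]]) -> List[float]:
    """X(k+1) = X(k) x P: row state vector times the one-step transition matrix."""
    return [sum(state[i] * P[i][j] for i in range(len(state))) for j in range(len(P[0]))]


def predict_next_round(a: float, b: float, c: float, d: float, e: float, f: float) -> Tuple[float, float]:
    """g = a*c + b*e (attack succeeds next round), h = a*d + b*f (defense succeeds); g + h = 1."""
    P = [[c, d],   # from attack success: stay (c) or move to defense success (d)
         [e, f]]   # from defense success: move to attack success (e) or stay (f)
    g, h = markov_step([a, b], P)
    return g, h


def worked_example() -> Tuple[float, float]:
    """The page's numbers: 28 attack / 72 defense successes, x = 0.30, x' = 0.70, s = 0.20, s' = 0.30."""
    a, b = round_rates(28, 72)
    c, d, e, f = transition_probs(a, b, x=0.30, x_prime=0.70, s=0.20, s_prime=0.30)
    return predict_next_round(a, b, c, d, e, f)


if __name__ == "__main__":
    g, h = worked_example()
    print(f"next round: attack success g={g:.4f}, defense success h={h:.4f}")
```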
The construction of the attack program (prior art) is as follows.
1. The third-party function library scapy of the Python language is used to send, sniff, parse and forge network packets. The forged packets are encapsulated into TCP and UDP protocol messages, a network port range is set, the messages are sent in order at layer 3 using the sr1 function, and if a reply is received the port is considered open (sr1: send a layer-3 packet).
2. The received IP and network port are used as the query condition to access the normal database and obtain the application corresponding to the network port.
3. Attack data packets are encapsulated for the application as Ether()/IP()/TCP() or Ether()/IP()/UDP() type messages, the sending interval in seconds is set with the sendp() function, whether to loop sending continuously is set, and the layer-2 attack message is sent (sendp: send a layer-2 packet; inter: packet sending interval in seconds; loop: set to 1 to send continuously, otherwise 0). Through these steps, one round of simulated attack against the network policy is completed.
The construction of the defense program (prior art) is as follows.
Executed as a Python program, the destination host uses the sniff() function to sniff packets and filter them. The sniff function captures packets and filter sets the filtering conditions; packets are sniffed and captured for the scheduled network policy, the quintuple (source address, destination address, source port, destination port, protocol) of each sniffed packet is analyzed, and the packets are then stored in classified form with a timestamp added. If a certain source address accesses the application ports of the intranet in large volume within a certain time range, it can be judged to be attack traffic and defended against.
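The defense program's detection logic as an added example (not the patent's own code): captured packets are reduced to the quintuple plus timestamp, stored classified by source, destination and protocol, and a source that reaches many distinct intranet application ports inside a short window is flagged. The capture lines and the 10.0.0.0/8 intranet range are constructed for the example, so it runs offline without scapy.

```python
# Added example (not the patent's own code). The capture lines below are
# constructed; the intranet range and thresholds are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Intranet range the defense program protects (constructed for this example).
INTRANET = ip_network("10.0.0.0/8")

# Constructed capture: "<ts> <src> <dst> <sport> <dport> <proto>". The first
# source touches seven intranet (dst, port) pairs in 2.4 s; the second is a
# normal client repeating one service; the third targets a non-intranet host.
SAMPLE_CAPTURE = """\
1700000000.0 203.0.113.5 10.0.0.10 40001 21 tcp
1700000000.4 203.0.113.5 10.0.0.10 40002 22 tcp
1700000000.8 203.0.113.5 10.0.0.10 40003 23 tcp
1700000001.2 203.0.113.5 10.0.0.10 40004 25 tcp
1700000001.6 203.0.113.5 10.0.0.10 40005 80 tcp
1700000002.0 203.0.113.5 10.0.0.10 40006 443 tcp
1700000002.4 203.0.113.5 10.0.0.11 40007 3306 tcp
1700000003.0 198.51.100.7 10.0.0.10 51000 443 tcp
1700000004.0 198.51.100.7 10.0.0.10 51001 443 tcp
1700000005.0 198.51.100.7 10.0.0.10 51002 443 tcp
1700000006.0 203.0.113.9 192.0.2.20 52000 80 tcp
"""


@dataclass(frozen=True)
class Packet:
    """The quintuple the defense program extracts, plus the capture timestamp."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def parse_line(line: str) -> Packet:
    """Parse one constructed capture line into a Packet."""
    ts, src, dst, sport, dport, proto = line.split()
    return Packet(float(ts), src, dst, int(sport), int(dport), proto.lower())


def load_capture(text: str = SAMPLE_CAPTURE) -> List[Packet]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify(packets: Iterable[Packet]) -> Dict[Tuple[str, str, str], List[Tuple[float, int, int]]]:
    """Timestamped, classified store: (src, dst, proto) -> [(ts, sport, dport), ...]."""
    store = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        store[(p.src, p.dst, p.proto)].append((p.ts, p.sport, p.dport))
    return dict(store)


def detect_sweeps(packets: Iterable[Packet], window_s: float = 10.0,
                  max_targets: int = 5) -> Dict[str, float]:
    """Flag sources that reach more than max_targets distinct intranet (dst, dport)
    pairs within any window_s-second window. Returns src -> time first flagged."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, float] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if ip_address(p.dst) not in INTRANET:
            continue                      # only intranet application ports count
        q = recent[p.src]
        q.append((p.ts, (p.dst, p.dport)))
        while q and p.ts - q[0][0] > window_s:
            q.popleft()                   # slide the window forward
        distinct = {target for _, target in q}
        if len(distinct) > max_targets and p.src not in flagged:
            flagged[p.src] = p.ts
    return flagged


if __name__ == "__main__":
    pkts = load_capture()
    for src, ts in detect_sweeps(pkts).items():
        print(f"suspected sweep from {src} first seen at {ts}")
```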
Explanations of the related concepts are as follows (prior art).
1. What is SRv6.
SRv6 is a network forwarding technology; SR refers to Segment Routing technology, v6 refers to native IPv6, and SRv6 is IPv6 + Segment Routing.
SR-MPLS uses a 4-byte label to identify path information; the MPLS label can only carry the label value, TTL and bottom-of-stack bit, with no ability to carry extension information. Unlike the segments of SR-MPLS, the segments of SRv6 are 128 bits long and are divided into three parts:
Locator (location identifier): the identity assigned to a network node in the network, which may be used to route and forward data packets. The Locator has two important attributes: routable and aggregatable. The Locator is the variable-length part of the SRv6 SID, so that it can adapt to networks of different sizes.
Function: the ID value the device assigns to a local forwarding instruction, which expresses the forwarding action the device is required to perform, corresponding to the opcode of a computer instruction. In SRv6 network programming, different forwarding behaviors are expressed by different function IDs. The function ID is somewhat similar to an MPLS label and is used to identify VPN forwarding instances, etc.
Args (arguments): the parameters needed when the forwarding instruction is executed, which may include flow, service or any other relevant variable information.
In a word, SRv6 has both the routing and MPLS forwarding attributes, has TE (traffic engineering) capability, extensibility and IPv6 compatibility, facilitates future fixed-mobile convergence, and unifies IP forwarding technology.
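The Locator / Function / Args split of a 128-bit SRv6 SID, as an added example (not the patent's own code): the SID is an IPv6 address, so it is decomposed and rebuilt with bit arithmetic, and the routable Locator prefix is derived from the Locator length. The 64/32/32-bit layout and the 2001:db8::/32 addresses are assumptions chosen for illustration; real deployments pick their own lengths.

```python
# Added example (not the patent's own code). Field widths and addresses are
# constructed; SRv6 itself does not fix the Locator or Function length.
from ipaddress import IPv6Address, IPv6Network
from typing import Tuple

SID_BITS = 128


def _check_layout(locator_bits: int, function_bits: int) -> int:
    """Validate the field layout and return the Args width."""
    args_bits = SID_BITS - locator_bits - function_bits
    if locator_bits <= 0 or function_bits <= 0 or args_bits < 0:
        raise ValueError("locator and function must be positive and fit in 128 bits")
    return args_bits


def split_sid(sid: str, locator_bits: int, function_bits: int) -> Tuple[int, int, int]:
    """Split an SRv6 SID into (locator, function, args) integers.

    Layout (most significant first): Locator | Function | Args.
    """
    args_bits = _check_layout(locator_bits, function_bits)
    value = int(IPv6Address(sid))
    locator = value >> (SID_BITS - locator_bits)
    function = (value >> args_bits) & ((1 << function_bits) - 1)
    args = value & ((1 << args_bits) - 1)
    return locator, function, args


def build_sid(locator: int, function: int, args: int,
              locator_bits: int, function_bits: int) -> str:
    """Inverse of split_sid: assemble the three fields into an IPv6-formatted SID."""
    args_bits = _check_layout(locator_bits, function_bits)
    for name, field, bits in (("locator", locator, locator_bits),
                              ("function", function, function_bits),
                              ("args", args, args_bits)):
        if not 0 <= field < (1 << bits):
            raise ValueError(f"{name} does not fit in {bits} bits")
    value = (locator << (SID_BITS - locator_bits)) | (function << args_bits) | args
    return str(IPv6Address(value))


def locator_prefix(sid: str, locator_bits: int) -> str:
    """The routable, aggregatable Locator as an IPv6 prefix (what the IGP advertises)."""
    return str(IPv6Network((sid, locator_bits), strict=False))


if __name__ == "__main__":
    # Constructed SID: Locator 2001:db8:0:1::/64, Function 0x100, Args 0.
    sid = "2001:db8:0:1:0:100::"
    loc, fn, args = split_sid(sid, 64, 32)
    print(f"{sid}: locator={loc:#x} function={fn} args={args} prefix={locator_prefix(sid, 64)}")
```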
2. The splitter.
Network splitters are used in network Intrusion Detection Systems (IDS), network probes and analyzers. In port-mirroring or splitting mode, the TAP splitting device divides the monitored UTP (unshielded twisted pair) link into two; the split-off data is fed into the collection interface and gathered for the Internet information security monitoring system. Its functions are as follows:
1. protocol conversion
Since the mainstream internet data communication interfaces adopted by ISPs are 40G POS, 10G POS/WAN/LAN, 2.5G POS, GE, etc., and the data receiving interfaces adopted by application servers are GE and 10GE LAN interfaces, protocol conversion generally mentioned on the internet communication interfaces mainly refers to conversion between 40G POS, 10G POS and 2.5G POS to 10GE LAN or GE, and bidirectional co-conversion between 10GE WAN to 10GE LAN, GE.
2. Data acquisition and distribution
Most data acquisition applications extract only the traffic of interest and discard the rest. Data traffic of a specific IP, protocol and port is extracted by converging on the quintuple (source IP, destination IP, source port, destination port and protocol) of the traffic concerned. On output, a specific hash algorithm ensures same-source, same-destination output and load-balanced output.
3. Feature code filtering
For the collection of P2P traffic, the application system is likely to focus only on certain traffic among it, such as streaming media (PPStream, BT, Xunda) and HTTP; feature codes such as the common keywords GET and POST can be extracted and converged by feature-code matching. The splitter supports fixed-position feature-code filtering and floating feature-code filtering. A floating feature code is specified as an offset on top of the fixed-position feature code, and suits applications where the feature code to be filtered is definite but its exact position is not.
4. Session management
Traffic identification is performed on the session connection, and the session forwarding value N (N=1 to 1024) can be flexibly configured. The first N messages of each session are extracted and forwarded to the back-end application analysis system, and messages beyond N are discarded, which saves resources for the downstream application analysis platform. Typically, when an IDS monitors an event it does not need to process every packet of the entire session; extracting only the first N packets of each session is enough to analyze and monitor the event.
5. Data mirroring and copying
The splitter can realize the mirror image and the duplication of the data on the output interface, and ensures the data access of a plurality of sets of application systems.
3. The Python language.
Python itself is designed to be extensible: not all features and functions are built into the language core. Python provides rich APIs and tools so that programmers can easily write extension modules in C, C++ or Cython. The Python interpreter itself can also be embedded in other programs that need a scripting language.
Embeddability: Python can be embedded in a C/C++ program to provide scripting functionality to the program's users.
Rich library: the Python standard library is very large. It helps with a wide range of tasks, including regular expressions, document generation, unit testing, threads, databases, web browsers, CGI, FTP, e-mail, XML-RPC, HTML, WAV files, cryptographic systems, GUIs (graphical user interfaces), Tk, and other system-related operations. This is what is meant by Python being "batteries included". In addition to the standard library there are many other high-quality libraries, such as wxPython, Twisted and the Python Imaging Library.
4. The Python Scapy library.
Scapy is a Python program that lets users send, sniff, parse and forge network packets. This makes it possible to build tools that probe, scan or attack networks. In other words, Scapy is a powerful interactive packet manipulation tool. It can forge or decode packets of a large number of protocols, send them on the wire, capture them, match requests with replies, and so on. Scapy handles most classical tasks such as scanning, traceroute, probing, unit testing, attacks and network discovery, and can replace parts of hping, arpspoof, arp-sk, arping, p0f and even Nmap, tcpdump and tshark.
5. The Python Scapy sr1 module.
Scapy is a powerful tool written in Python, and many well-known network scanning and attack tools use this module. It can also be used in one's own programs to send, monitor and analyze network packets. The module works at a lower level than Nmap, which makes the various scanning and attack behaviours in the network directly visible.
By way of analogy: when you go to a hospital for a physical examination, the hospital measures your various health indices, and the doctor then tells you whether or not you have a particular illness. Nmap is like the doctor, who draws on his experience to hand you a conclusion. Scapy is like the examination equipment, which only reports the raw results of each measurement; if you are yourself an experienced doctor, those raw results are clearly more valuable to you than someone else's advice.
6. The Python Scapy sendp module.
sendp sends a layer-2 packet; its parameter inter is the interval between packets in seconds, and loop is set to 1 to send the packet continuously, otherwise to 0.
It should be noted that terms such as "upper", "lower", "left", "right", "front" and "rear" are used for descriptive purposes only and are not intended to limit the scope in which the application may be practiced; the relative relationships these terms denote may be altered or modified without materially altering the teaching of the application.
The above is only a preferred embodiment of the present application, and the protection scope of the present application is not limited to the above examples, and all technical solutions belonging to the concept of the present application belong to the protection scope of the present application. It should be noted that modifications and adaptations to the application without departing from the principles thereof are intended to be within the scope of the application as set forth in the following claims.

Claims (8)

1. A method for attack and defense exercise based on the SRv6 network protocol, characterized by comprising the following steps:
S1: first attack and defense exercise;
S1.1: the simulated attack network device sends an attack instruction to the attacked network device;
S1.2: after the attacked network device receives the attack instruction, it carries out a self-attack and self-defense simulated attack and defense exercise according to the attack program and the defense program it contains;
S1.3: the attacked network device sends the result data of the self-attack and self-defense exercise to the analysis device;
S2: second attack and defense exercise;
S2.1: the analysis device attacks the attacked network device; the attacked device defends through its own defense program;
S2.2: the attacked network device transmits the result data of the exercise in which the analysis device attacked and it defended to the analysis device;
S3: the analysis device analyzes the result data of the attack and defense exercise in this round;
S3.1: the analysis device obtains, according to the historical database, the attack success probability a and the defense success probability b in this round's attack and defense exercise results, where a+b=1;
S3.2: the analysis device analyzes, according to the historical database, that given a successful attack the probability of the attack remaining successful in the next round is c and the probability of transitioning to a successful defense in the next round is d, and that given a successful defense the probability of transitioning to a successful attack in the next round is e and the probability of the defense remaining successful in the next round is f; where c+d=1 and e+f=1;
S3.3: the analysis device calculates the probability g of a successful attack and the probability h of a successful defense in the next round's attack and defense exercise result; where g=a×c+b×e, h=a×d+b×f, and g+h=1.
2. The method for attack and defense exercise based on the SRv6 network protocol according to claim 1, wherein the simulated attack network device and the attacked network device all interwork through the SRv6 production environment main network, and the analysis device is deployed in a non-SRv6 production environment.
3. The method for attack and defense exercise based on the SRv6 network protocol according to claim 1, wherein the specific content of step S1.1 is as follows:
the simulated attack network device takes the attack information instruction identifier Local Start as the original message, encapsulates the message in SRH format and then sends it to a network port of the attacked network device.
4. The method for attack and defense exercise based on the SRv6 network protocol according to claim 1, wherein the specific content of the attack by the analysis device on the attacked network device in step S2.1 is:
the analysis device combines its attack program, the traffic distributed by the splitter and the SRv6 protocol as the original message, encapsulates the message in SRH format and then sends it to a network port of the attacked network device.
5. An attack and defense exercise system based on the SRv6 network protocol, characterized by comprising a simulated attack network device, wherein the simulated attack network device is used for sending an attack instruction to the attacked network device;
the attacked network device is used for carrying out a self-attack and self-defense simulated attack and defense exercise according to the attack program and the defense program it contains after receiving the attack instruction, and for transmitting the result data of the self-attack and self-defense exercise to the analysis device;
the analysis device is used for attacking the attacked network device; the attacked device defends through its own defense program; the attacked network device transmits the result data of the exercise in which the analysis device attacked and it defended to the analysis device;
the analysis device analyzes the attack and defense exercise result data, the specific content being as follows:
the analysis device is used for obtaining, according to the historical database, the attack success probability a and the defense success probability b in this round's attack and defense exercise results, where a+b=1;
the analysis device is used for analyzing, according to the historical database, that given a successful attack the probability of the attack remaining successful in the next round is c and the probability of transitioning to a successful defense in the next round is d, and that given a successful defense the probability of transitioning to a successful attack in the next round is e and the probability of the defense remaining successful in the next round is f; where c+d=1 and e+f=1;
the analysis device is used for calculating the probability g of a successful attack and the probability h of a successful defense in the next round's attack and defense exercise result; where g=a×c+b×e, h=a×d+b×f, and g+h=1.
6. The attack and defense exercise system based on the SRv6 network protocol according to claim 5, wherein the simulated attack network device and the attacked network device all interwork through the SRv6 production environment main network, and the analysis device is deployed in a non-SRv6 production environment.
7. The system for attack and defense exercise according to claim 5 wherein the specific content of the simulated attack network device sending the attack instruction to the attacked network device is:
the simulated attack network device is used for taking the attack information instruction identifier Local Start as an original message, packaging the message by using an SRH format and then transmitting the message to a network port of the attacked network device.
8. The system for attack and defense exercise according to claim 5 wherein the specific content of the analysis device's attack on the attacked network device is:
the analysis device is used for combining its attack program, the traffic distributed by the splitter and the SRv6 protocol as the original message, and for sending the message to a network port of the attacked network device after encapsulating it in SRH format.
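The next-round estimate of claim 1 step S3 (and the matching part of claim 5), worked through in Python. This is an added example, not the patent's code. It computes g = a×c + b×e and h = a×d + b×f (the form of h that satisfies g+h=1 given a+b=1, c+d=1 and e+f=1) and checks those constraints first. How the analysis device derives a..f from its historical database is not specified in the claims; the `estimate_from_history` function below is an assumed reading in which the database is a sequence of past round winners, and `project` goes beyond the claims by applying the same transition for several rounds. The sample history is constructed.

```python
"""Next-round attack/defense success probabilities as in claim 1, step S3.
Added example; not the patent's code. The history format is assumed."""
from typing import List, Tuple

ATTACK, DEFENSE = "attack", "defense"


def next_round(a: float, b: float, c: float, d: float, e: float, f: float,
               tol: float = 1e-9) -> Tuple[float, float]:
    """Step S3.3: a, b are this round's attack/defense success probabilities;
    c, d are P(attack | attack) and P(defense | attack); e, f are
    P(attack | defense) and P(defense | defense). Returns (g, h)."""
    for name, total in (("a+b", a + b), ("c+d", c + d), ("e+f", e + f)):
        if abs(total - 1.0) > tol:
            raise ValueError(f"{name} must equal 1, got {total:.6f}")
    g = a * c + b * e   # attack succeeds in the next round
    h = a * d + b * f   # defense succeeds in the next round
    return g, h


def estimate_from_history(history: List[str]) -> Tuple[float, float, float, float, float, float]:
    """Assumed reading of 'according to the historical database': each entry is
    the winner of one past round. a, b are marginal frequencies (step S3.1);
    c..f are transition frequencies between consecutive rounds (step S3.2)."""
    if not history:
        raise ValueError("empty history")
    if any(x not in (ATTACK, DEFENSE) for x in history):
        raise ValueError("history entries must be ATTACK or DEFENSE")
    n = len(history)
    a = history.count(ATTACK) / n
    b = 1.0 - a
    trans = {(ATTACK, ATTACK): 0, (ATTACK, DEFENSE): 0,
             (DEFENSE, ATTACK): 0, (DEFENSE, DEFENSE): 0}
    for prev, cur in zip(history, history[1:]):
        trans[(prev, cur)] += 1
    from_attack = trans[(ATTACK, ATTACK)] + trans[(ATTACK, DEFENSE)]
    from_defense = trans[(DEFENSE, ATTACK)] + trans[(DEFENSE, DEFENSE)]
    if from_attack == 0 or from_defense == 0:
        # Edge case: no transition out of one state, so c..f are undefined.
        raise ValueError("history has no transition out of one state; c..f undefined")
    c = trans[(ATTACK, ATTACK)] / from_attack
    d = trans[(ATTACK, DEFENSE)] / from_attack
    e = trans[(DEFENSE, ATTACK)] / from_defense
    f = trans[(DEFENSE, DEFENSE)] / from_defense
    return a, b, c, d, e, f


def project(a: float, b: float, c: float, d: float, e: float, f: float,
            rounds: int) -> List[Tuple[float, float]]:
    """Extension beyond the claims: feed (g, h) back in as the next (a, b)
    and repeat, giving the expected outcome several rounds ahead."""
    out = []
    for _ in range(rounds):
        a, b = next_round(a, b, c, d, e, f)
        out.append((a, b))
    return out


if __name__ == "__main__":
    # Constructed sample history of eight past rounds.
    sample = [ATTACK, ATTACK, DEFENSE, ATTACK, DEFENSE, DEFENSE, ATTACK, ATTACK]
    params = estimate_from_history(sample)
    print("a..f:", params)
    print("next round (g, h):", next_round(*params))
    print("five rounds ahead:", project(*params, rounds=5))
```

With the constructed history above the estimate gives a = 5/8, b = 3/8, c = d = 1/2, e = 2/3, f = 1/3, hence g = 9/16 and h = 7/16. Because the transition probabilities are held fixed, repeated projection converges to e / (d + e), the steady-state attack success rate implied by the historical data.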
CN202111533299.3A 2021-12-15 2021-12-15 Attack and defense exercise method and system based on SRv6 network protocol Active CN114301640B (en)

Publications (2)

Publication Number Publication Date
CN114301640A (en) 2022-04-08
CN114301640B (en) 2023-09-01

Family

ID=80967610


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant